Google expands Android bug-hunting program; top reward is now USD1.5 million

Google has increased the reward amount for its bug-hunting program to USD 1.5 million, the tech giant wrote in a blog post. Google's Android Security Rewards (ASR) program recognizes security researchers who discover vulnerabilities in the latest available Android versions for Pixel phones and tablets. 

Today, we’re expanding the program and increasing reward amounts. We are introducing a top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. Additionally, we will be launching a specific program offering a 50% bonus for exploits found on specific developer preview versions of Android, meaning our top prize is now $1.5 million.

Google Pixel devices incorporate Titan M chip, a second-generation, low-power security module that contains many defenses to protect against external attacks. The Google Pixel 3 with Titan M has been labeled as having the most “strong” ratings in the built-in security section out of all devices evaluated by Gartner. "This is why we’ve created a dedicated prize to reward researchers for exploits found to circumvent the secure elements protections," Google further wrote in the blog post.

Over the last 12 months, more than 100 participating researchers have received an average reward amount of over USD3,800 per finding, with total payouts crossing USD1.5 million. The top reward for the year 2019 was USD 161,337.

In addition to exploits involving Pixel Titan M, we have added other categories of exploits to the rewards program, such as those involving data exfiltration and lockscreen bypass. These rewards go up to $500,000 depending on the exploit category. 

The new rewards are effective from November 21.